Hackers Stole Info from Up to 1.5 Million Credit Card Accounts

Global Payments Inc., the credit-card processor that reported a significant security breach Friday, said that hackers stole account numbers and other key information from up to 1.5 million accounts in North America.

Source: Source: WSJ | Published on April 2, 2012

The news, released Sunday night in a statement, came after the company received a fresh blow over the weekend when Visa Inc. yanked its seal of approval from the company.
was the first time that Global Payments disclosed details of the breach. The company didn't say how the intruders got access to the information.

Such information can be used to create counterfeit cards. Global Payments also said that the thieves "exported" the information, which is typically more serious than hackers who are only able to break in and view the data. The company said that criminals didn't obtain cardholder names, addresses and Social Security numbers.

"Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained," the company said.

Over the weekend, Visa removed Global Payments from a list of hundreds of companies that it considers to be "compliant service providers," according to the list that was reviewed by The Wall Street Journal. Such companies act as middlemen between merchants and banks in the complex industry of electronic payments.

Visa confirmed that it removed the company from the list "based on Global Payments' reported unauthorized access." Visa said it has asked Global Payments to submit new validation showing that it complies with industry security standards.

The move by Visa, which is rare in the industry, essentially serves as a warning to merchants that Global Payments, which processes credit-, debit- and gift-card transactions, no longer meets Visa's standards for security. It isn't clear if Visa has knowledge of a hole in Global Payments' security network that allowed intruders to access information.

Amy Corn, a spokeswoman for Global Payments, confirmed that the company had been advised by Visa that it had been removed from the list.

"We expect to be reinstated once we have been issued a new report of compliance," Ms. Corn said. She didn't say when the company expects that to occur.

"We continue to process transactions for our merchants and our customers with the same efficiency and care they have come to expect," she said.

The move doesn't stop Global Payments from processing transactions but could make potential customers leery of doing business with the company, according to people who are involved in the card-security industry.

The impact on Global Payments' existing customers wasn't immediately known.

As of Sunday afternoon, Visa rival MasterCard Inc. MA +1.82% hadn't removed Global Payments from its version of the same list. The payments network, based in Purchase, N.Y., said that it was awaiting the results of an investigation into the breach by an external independent forensics firm.

Based on information in that report, "MasterCard will consider appropriate actions," the company said in a statement.

Global Payments was the nation's seventh-largest "merchant acquirer" in the U.S. last year, according to the Nilson Report, a newsletter in Carpinteria, Calif., that tracks the payments industry. Global Payments handled $120.6 billion in Visa and MasterCard card volume last year, according to the newsletter.

Visa and MasterCard began alerting card-issuing banks in recent days that consumer-transaction data could be at risk due to a breach at a so-called third-party processor. Visa told the banks that the cards were exposed between Jan. 21 and Feb. 25, according to a memo reviewed by The Wall Street Journal.

Cardholders typically aren't liable for unauthorized purchases, but any type of identity theft is often troublesome and time-consuming for its victims.

Banks said on Friday that they were monitoring accounts for suspicious activities. It wasn't known if they had seen any fraudulent transactions related to the breach or had started reissuing cards.

Global Payments has scheduled a conference call for Monday morning, but it isn't clear how much information the company will provide.

Although Visa's removal of Global Payments from its list of approved processors is significant, the San Francisco-based company has taken more draconian moves against processors in the past.

In 2005, Visa announced it would cut ties with CardSystems Solutions Inc. after the payment-processing company left 40 million credit-and-debit accounts vulnerable to hackers in a massive breach. The move later became moot when CardSystems sold its assets to another company. Global

Payments had been on Visa's list of compliant processors as late as Friday afternoon. It was listed as having met Visa's standards as of July 31, 2011, for a slew of card-processing capabilities, including card authorizations, clearing and settlement, as well as the processing of transactions on cards that have a magnetic stripe on the back.

Visa's list of compliant providers, which is published on its website, runs 83 pages.

Like other processors in an industry that has been plagued by data breaches, Global Payments stresses its security with customers.

"With every transaction, with every service, with every product and every system, Global Payments puts trust in every transaction," the company says on its website.

Global Payments shares tumbled 9% to $47.50 a share on the New York Stock Exchange Friday. The stock was halted at midday after the Journal identified the company as being the target of the breach. It didn't resume trading.